Drata validates that access policies for AWS S3 buckets are set to deny unencrypted HTTP requests. At the Amazon S3 bucket level, you can configure permissions through a bucket policy, making the objects accessible only through HTTPS.
By default, Amazon S3 allows both HTTP and HTTPS requests. To allow access to Amazon S3 objects only through HTTPS, you also have to explicitly deny access to HTTP requests. Bucket policies that allow HTTPS requests without explicitly denying HTTP requests will not comply with this recommendation.
ASSOCIATED DRATA CONTROL
This test is part of the Encryption in Transit control (DCF-55) that ensures data in transit is encrypted using strong cryptographic algorithms.
WHAT TO DO IF A TEST FAILS
If Drata finds that AWS S3 bucket policies do not explicitly deny access to objects through unencrypted HTTP requests, the test will fail. By default, Amazon S3 allows both HTTP and HTTPS requests. To allow access to Amazon S3 objects only through HTTPS, you also have to explicitly deny access to HTTP requests.
STEPS TO REMEDIATE
From the AWS S3 console, select the checkbox next to the failing bucket(s).
Click on 'Permissions', then click on 'Bucket Policy'.
Add the following statement to the "Statement" array of the existing policy, filling in the bucket name (the Sid is optional):
{
  "Sid": "<optional>",
  "Effect": "Deny",
  "Principal": "*",
  "Action": "s3:*",
  "Resource": "arn:aws:s3:::<bucket_name>/*",
  "Condition": { "Bool": { "aws:SecureTransport": "false" } }
}
Save changes and repeat for all failing buckets.
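The check described above, as an added example that is not Drata's own code: it parses a bucket policy document, reports compliant only when some statement is an explicit Deny of all S3 actions for every principal on the bucket's objects when aws:SecureTransport is false, and builds the remediation statement from the steps. The bucket name "example-bucket" and the sample policies are constructed for the example.

```python
import json

def _as_list(v):
    return v if isinstance(v, list) else [v]

def _principal_is_everyone(p):
    # Both "*" and {"AWS": "*"} mean "any principal" in a bucket policy.
    return p == "*" or (isinstance(p, dict) and "*" in _as_list(p.get("AWS", [])))

def _covers_objects(resources, bucket):
    # The deny must apply to this bucket's objects (or to every resource).
    wanted = {"*", f"arn:aws:s3:::{bucket}/*", "arn:aws:s3:::*"}
    return any(r in wanted for r in _as_list(resources))

def _denies_all_actions(actions):
    return any(a in ("*", "s3:*") for a in _as_list(actions))

def _secure_transport_false(cond):
    # Condition must be Bool aws:SecureTransport == false (string "false" or JSON false).
    vals = _as_list(cond.get("Bool", {}).get("aws:SecureTransport", []))
    return any(str(v).lower() == "false" for v in vals)

def policy_denies_http(policy_doc, bucket):
    """True only if an explicit Deny covers HTTP access to the bucket's objects.
    An Allow conditioned on aws:SecureTransport=true does not count (see text)."""
    if not policy_doc:  # no bucket policy at all: HTTP is allowed by default
        return False
    for st in _as_list(json.loads(policy_doc).get("Statement", [])):
        if (st.get("Effect") == "Deny"
                and _principal_is_everyone(st.get("Principal"))
                and _denies_all_actions(st.get("Action", []))
                and _covers_objects(st.get("Resource", []), bucket)
                and _secure_transport_false(st.get("Condition", {}))):
            return True
    return False

def remediation_statement(bucket, sid="DenyInsecureTransport"):
    """Build the statement from the remediation steps for the given bucket name."""
    return {"Sid": sid, "Effect": "Deny", "Principal": "*", "Action": "s3:*",
            "Resource": f"arn:aws:s3:::{bucket}/*",
            "Condition": {"Bool": {"aws:SecureTransport": "false"}}}

# Constructed sample policies for the hypothetical bucket "example-bucket".
ALLOW_HTTPS_ONLY = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
    "Resource": "arn:aws:s3:::example-bucket/*",
    "Condition": {"Bool": {"aws:SecureTransport": "true"}}}]})  # fails the test
COMPLIANT = json.dumps({"Version": "2012-10-17",
                        "Statement": [remediation_statement("example-bucket")]})
```

In a real audit the policy document comes from `get_bucket_policy` for each bucket; a bucket with no policy returns an error there and should be treated as failing, as the `None` case is here.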
Center for Internet Security (CIS)
This test aligns with the Center for Internet Security's (CIS) foundation benchmarks, which provide prescriptive guidance for establishing a secure baseline configuration for Amazon Web Services. To learn more, refer to the Center for Internet Security (CIS) section.